aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

trivy k8s: --timeout flag #6304

Open chen-keinan opened 7 months ago

chen-keinan commented 7 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6260

Originally posted by **vintury** March 4, 2024

### Description

When the flag `--timeout` is used, the scan doesn't finish within the selected timeout. I'm guessing the problem is caused by containers not being able to download.

### Desired Behavior

A few days later I see that the process is still running.

```
# ps aux | grep trivy
gitlab-+ 22693 0.0 2.3 7965560 188940 ? Sl Mar02 3:17 ./trivy -q k8s -n namespace all -q -f table --report summary --timeout 160m
# date
Mon Mar 4 13:24:45 +05 2024
```

Scan doesn't finish after 160m.

### Actual Behavior

Stop the process after the timeout expires.

### Reproduction Steps

1. Create a namespace with a few thousand pods. I have about 280 Pods and 738 images (86 from Docker Hub).
2. Run `trivy k8s` with the flag `--timeout 160m`.
3. Scan doesn't finish after 160m.

### Target

Kubernetes

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
# trivy k8s -n namespace all -f table --report summary --timeout 160m --debug
2024-03-04T11:46:13.604+0300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-04T11:46:13.605+0300 DEBUG Ignore statuses {"statuses": null}
2024-03-04T11:46:42.060+0300 DEBUG cache dir: /Users/user/Library/Caches/trivy
2024-03-04T11:46:42.061+0300 DEBUG DB update was skipped because the local DB is the latest
2024-03-04T11:46:42.061+0300 DEBUG DB Schema: 2, UpdatedAt: 2024-03-04 06:25:04.681863889 +0000 UTC, NextUpdate: 2024-03-04 12:25:04.681863277 +0000 UTC, DownloadedAt: 2024-03-04 08:45:26.675897 +0000 UTC
46.13 KiB / 46.13 KiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
49 / 238 [----------------------------------------------->______________________________________________________________________________________________________________________________________________________________________________________] 20.59% 0 p/s
```

### Operating System

CentOS Linux release 7.9.2009 (Core)

### Version

```bash
# ./trivy --version
Version: 0.49.1
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

chen-keinan commented 7 months ago

@vintury has this been running in a CI pipeline? I made a simple test on a local cluster (kind) and it did respect the timeout:

```bash
trivy k8s cluster --report summary --timeout 0m5s
```

Do you mind doing the same test on a local cluster and letting me know the results?

vintury commented 7 months ago
```bash
# trivy k8s cluster --report summary --timeout 0m5s
2024-03-26T20:49:19.388+0300    FATAL   get k8s artifacts with node info error: .spec.template.spec.initContainers accessor error: <nil> is of the type <nil>, expected []interface{}
```

But I think this is not related to my problem.

chen-keinan commented 6 months ago
> ```bash
> # trivy k8s cluster --report summary --timeout 0m5s
> 2024-03-26T20:49:19.388+0300  FATAL   get k8s artifacts with node info error: .spec.template.spec.initContainers accessor error: <nil> is of the type <nil>, expected []interface{}
> ```
>
> But I think this is not related to my problem.

This issue should be fixed with the latest trivy.